A Software-Defined Perimeter (SDP), as specified and endorsed by the Cloud Security Alliance (CSA), offers great potential in stopping or preventing many types of application attacks. Juanita Koilpillai, CEO of Waverley Labs, discusses how this technology works and how it may be applied to the cloud and IoT environments. Waverley Labs has developed and published an open source version of SDP based on the CSA specification. Learn more about how this technology works in this interview with ActiveCyber.

I have been quite interested in the SDP specification developed and published by the Cloud Security Alliance (CSA) for some time since I believe it has great merit in meeting many goals related to active cyber defenses. So I was delighted recently when I ran into Juanita while attending the DHS Science and Technology Cyber Showcase who was presenting her company’s SDP capabilities. I threw a lot of questions at her about the technology in general as well as her company’s work on an open source SDP controller, and it was pretty evident to me that she was an expert on the technology. So I was very happy when she accepted to do this interview. Read the interview below to learn more about this important technology and how you can apply it to protect the services running in your cloud and IoT environments.

August 21, 2017

Chris Daly, ActiveCyber: What is the background for the genesis of Software-Defined Perimeter (SDP) and how has it evolved? What role did Waverley Labs play in this evolution? Where has it been implemented?

Juanita Koilpillai, CEO Waverley Labs: The Software Defined Perimeter (SDP) is an architectural specification that is evolutionary in that it builds upon known controls such as the ‘need to know’ access model verified in the DoD, device verification proven by NSA, and Mutual Transport Layer Security promoted by NIST. The Software Defined Perimeter is also revolutionary in that it extends the protection to the perimeter that is changing with the advent of mobile devices and the Internet of Things (IoT). Cloud Security Alliance adopted the specification for its membership and Waverley Labs spearheaded an open source reference implementation of the SDP specification as a member of the Cloud Security Alliance SDP Working Group.

ActiveCyber: What are the major components of the SDP architecture and how do they individually contribute to the overall capability?

Koilpillai: The SDP architecture consists of five components of security protections: single packet authorization (sometimes referred to as port knocking), mutual transport layer security, device validation, dynamic firewalls, and application binding. Together, these protocols make it very difficult for attackers to access, let alone modify protected applications and data. Dynamic firewalls with a “deny all” ruleset hide all services behind that firewall. Single Packet Authorization (SPA) validates users on devices prior to opening up the firewall to make secure connections to hidden services. Mutual transport layer security encrypts a two-way handshake/communication channel. Device validation ensures only known devices connect to hidden services. Application binding allows connections to be made ONLY to the authorized service and no other hidden service and the connection is deleted once the job is done.

ActiveCyber: What are the classes of protections enabled by SDP (e.g., DDOS protection, access control, etc.)? What are the potential benefits provided?

ActiveCyber: How can the benefits of SDP be extended to new models of computing such as cloud, mobile, and IoT?

Koilpillai: SDP provides a simple way to integrate key controls by separating the control channel from the data channel, a paradigm well-suited for cloud environments. SDP also requires device validation and fingerprinting – protections that make the use of mobile devices when accessing critical data more secure. Since SDP is an architecture that can be designed from inception, newer IoT devices can include a simple and elegant SPA protocol to create secure connections while hiding IoT devices from public access.

ActiveCyber: Mutual TLS as a SDP method may be too heavy and may not support the mesh network that is needed for IoT… what alternatives exist for IoT?

Koilpillai: Most if not all 2-way communications for IoT (MQTT, XMPP, DDS, AQMP) use the TCP/IP protocol. Some even use HTTP (also uses TCP/IP) as the underlying protocol. We may be speculating that Mutual TLS as a method is too heavy and we won’t know without proper testing. If so, a quick and easy solution may be to use MD5 hashes over TCP/IP of messages passing between IoT devices to have some level of encryption for data being passed between devices.

ActiveCyber: How do orchestrators or controllers involved in SDP complement or interoperate with Software-Defined Network (SDN) controllers?

Koilpillai: SDP controllers provide the management of users, devices, connections, gateways and keys to manage secure connections over the IP infrastructure. SDN controllers manage the IPs, routers, switches and other components that support the IP infrastructure. In the future, SDP and SDN controllers could be merged once SDNs proliferate. SDP can operate with or without SDN in place.

ActiveCyber: What is SPA and how does it work? What network protocols support SPA?

Koilpillai: A Single Packet Authorization (SPA) contains information about a client/device that needs to connect to a particular service all in a single packet. SPA packets can be sent using either UDP or TCP/IP protocols. SPA packets can be used to knock on the door and when the right information is presented, the door is open.

ActiveCyber: What about HIP (Host identity Protocol) – how can this protocol benefit the overall SDP implementation? What other device validation schemes may be implemented to augment SDP?

Koilpillai: In networks that implement the Host Identity Protocol (HIP), all occurrences of IP addresses in applications are eliminated and replaced with cryptographic host identifiers. The cryptographic keys are typically, but not necessarily, self-generated. SDP can use HIP as another factor to consider during the device validation process.

ActiveCyber: How does SDP enable dynamic firewalls – how is context for enforcement determined dynamically? How are firewall rules simplified?

Koilpillai: One way SDP can enforce dynamic firewalls is to base the context for enforcement on a SPA packet that contains information about valid users and devices wanting to connect to valid services sitting behind the firewall. The ability to enable firewall rules rules dynamically to open up the firewall is now controlled at the application layer which allows the default firewall rule to be “deny all.” One can’t have a more simple firewall rule than that.

ActiveCyber: How does SDP compare to other approaches or technologies in securing the cloud?

Koilpillai: Today’s approach to securing the cloud is to implement tools/technologies at the application layer to validate users, at the client level to validate devices, and at the network level to protect connections to protected services. The multiple tools/technologies are hard to integrate during operations. SDP is an elegant approach to integrate the validation of users on specific devices and protecting connections to services that are completely hidden from hackers even if those connections are made over the open Internet.

Juanita, your company’s efforts in promoting SDP and making it more accessible through the open source community are certainly impressive. SDP looks to be a great architectural approach and technology for securing the nexgen cloud and IoT environments. I believe we will see a significant uptick in the use of this technology, as there are already several new companies throwing their hat into the SDP mix.

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, or other security topics. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at ActiveCyber.